Modifying the owner of an NT security descriptor
5.00/5 (2 votes)
Helper class to set the owner of an NT security descriptor
Introduction
Time ago I wrote this pretty straightforward helper class to set the owner of an NT security descriptor. While there is a sample on the MSDN which allows setting the owner to Administrator, it fails when it comes to setting the owner to any other user. I've wrapped a working function in a simple class called CSecOwner. It supports setting the owner on a file/directory.
I am not giving a introduction into NT security or SD's, ACL's nor any other Windows security specific topics. This is way out of the scope. Just dig into MSDN and look for security.
Usage
CSecOwner exposes two functions:
BOOL CSecOwner::SetFileOwner(LPSTR UserName, LPSTR pFileName); BOOL CSecOwner::SetFileOwnerSID(LPBYTE UserSID, LPSTR pFileName);The first is used when you have a qualified username and a filename, the second when you already have a valid SID and the filename. Both functions return
TRUE on success and will pop up a messagebox in case of an error.
Be aware that you need certain privileges to successfully change the owner of a SD. While the class itself tries to enable the SE_RESTORE_NAME privilege, it will fail if you are not administrator or at least backup operator. The class does not replace the ACL but modifies it.
Demoproject
The included demo project allows selecting a file from a explorer like tree and sets the owner to any user of the current domain. The demo project uses the CDirTreeCtl class from Nicola Delfino.
Compatibility
CSecOwner is not unicode enabled. It is written and tested with VC6, but will compile under VC7 too. The sample uses MFC. And, NO, it does NOT run under Win9x/ME. This is strictly NT/W2k/XP (XP with simple file sharing disabled).